{"id":158458,"date":"2024-07-23T15:09:16","date_gmt":"2024-07-23T13:09:16","guid":{"rendered":"https:\/\/www.fma.gv.at\/?page_id=158458"},"modified":"2026-02-13T13:51:15","modified_gmt":"2026-02-13T12:51:15","slug":"dora-managing-of-ict-third-party-risk","status":"publish","type":"page","link":"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-managing-of-ict-third-party-risk\/","title":{"rendered":"DORA \u2013 Managing of ICT third-party risk"},"content":{"rendered":"
\"\"<\/span>
\n

Managing of ICT third-party risk<\/strong><\/p>\n<\/div><\/div>

<\/div>

Financial entities manage the third-party risk of information and communication technologies (ICT third-party risk) across the entire life cycle. The ICT third-party risk is the ICT-related risk that may arise in conjunction with the usage of ICT services that are provided by ICT third-party service providers or their subcontractors. <\/p>

In addition to the requirement to operate a register of information about ICT third-party service providers, the rules cover the drawing up of a strategy for ICT third-party risk, about conducting of due diligence checks prior to using ICT services, the contents of contracts and exit strategies.<\/p>

Register of Information<\/h2>

The register contains information about all ICT services that are directly provided by ICT third-party service providers. Sub-outsourcings are also required to be listed that support ICT services, critical or important functions or a material part thereof.<\/p>

Such registers of information are required to be submitted to the competent authorities in full at the latter’s request.<\/p>

The FMA requires the submission of a complete register of information pursuant to Article 28 (3) 4th subparagraph of the Regulation (EU) 2022\/2554 for classifying ICT third-party service providers that are critical for financial undertakings, or for confirming the classifications conducted by the ESAs in 2025 and for effective supervision of financial undertakings.<\/p>

The register of information is required to take place either at individual entity level or at the highest level of consolidation of a group within the EU. The rules are defines in Article 3 of the European Supervisory Authorities (ESA) Decision (ESA Decision of 8 November 2024 concerning the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third party service providers in accordance with Article 31(1)(a) of Regulation (EU) 2022\/2554 – ESA 2024 22<\/a>).<\/p>

The reference date for the data contained in the register of information is 31 December of the preceding year.<\/p>

The submission to the FMA as the competent authority takes place from 16.02.2026 until 13.03.2026 via the Incoming Platform.<\/p>

Please make use of the opportunity for testing already provided by the FMA to identify problems prior to the submission period. The submission will be rejected if the validation rules are not met. <\/p>

The Excel template that is required to be used when submitting the register of information to the FMA, can be found here:<\/p>

FMA_Template_RoI_1_4_DE (Format: <\/span>xlsx, Size: <\/span>3,8 MB, Language: <\/span>German)<\/a>\n\n\n\n<\/p>

FMA_Template_RoI_1_4_EN (Format: <\/span>xlsx, Size: <\/span>3,8 MB, Language: <\/span>English)<\/a>\n\n\n\n<\/p>

The following file contains an overview of the full options of drop-down list boxes to assist you in filling out the template:<\/p>

FMA_RoI_Template_Dropdown_inklusive_ItemCodes (Format: <\/span>xlsx, Size: <\/span>59,7 KB, Language: <\/span>German)<\/a>\n\n\n\n<\/p>

Since 02.04.2025 it has also been possible to submit EBA codes (by copying them) instead of plain text in the FMA template. This also allows conversion from XBRL format into the template by directly copying the values, without using lookups or the VLOOKUP function.<\/p>

The submitted information is used to identify critical ICT third-party service providers and are also used in the supervisory process, e.g. in conjunction with the reporting of major ICT-related incidents.<\/p>

Furthermore, financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.<\/p>

Strategy for ICT third-party risk<\/h2>

The management body shall adopt this strategy and regularly check risks that are identified in conjunction with the contracts for using ICT services for supporting critical or important functions. ICT concentration risk at enterprise level is also evaluated.<\/p>

Due diligence<\/h2>

Prior to the conclusion of contracts financial entities conduct comprehensive reviews of ICT third-party service providers. For example, contracts are only allowed to be concluded with service providers that observe adequate standards for information security.<\/p>

Contractual agreements<\/h2>

The minimum content of contracts, for example the termination rights or the notification requirements in the case of an intended change of location, are prescribed. For ICT services that include critical or important functions, additional elements apply, e.g. The services to be agreed upon during a transitional period until the change to another ICT third-party service provider or performing services in-house.<\/p>

Exit strategies<\/h2>

The objective is potentially getting out of contractual agreements, without interruption to business activities, and maintaining the continuity and quality of the services provided. Contingency measures, alternative solutions and transition plans are identified for this purpose. Furthermore, exit plans are also tested and regularly checked.<\/p>

Questions and Answers<\/h2>